CIA, NSA and the Pentagon still aren’t using a basic email security feature

Some of the most sensitive U.S. government departments and agencies still aren’t using a basic email security feature that would significantly cut down on incoming spam or phishing emails.

Fifteen percent of all U.S. government domains still aren’t employing DMARC, or domain-based message authentication, reporting, and conformance, a policy that receiving email systems use to check that a message really comes from the domain it claims to rather than from an impersonator.

New data from security firm Agari shows that, of more than a thousand federal domains, 75 percent have a DMARC policy that either monitors spoofed email, quarantines it to the spam folder, or rejects it outright.

But the CIA, the NSA and the Department of Defense are among the outliers that still haven’t rolled out DMARC across their web domains.

That’s despite Tuesday’s deadline for BOD 18-01, a directive issued by Homeland Security that ordered the rollout of DMARC a year ago, following complaints by a leading Democratic senator.

BOD 18-01 aimed to improve email and cybersecurity across the federal government by introducing email encryption (STARTTLS) and doubling down on the use of HTTPS certificates across government sites. By cranking DMARC up to its safest setting, which outright rejects unverified email, government departments would comply with the directive by keeping any unauthenticated email out of user inboxes.
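The three DMARC policy levels the article describes (monitor only, quarantine, reject) are expressed by the `p=` tag of a domain's DMARC TXT record. The following checker is an added example written for this page; it is not code from Agari, Homeland Security or the article's author. It parses constructed sample records for hypothetical domains, classifies each one, and flags the only setting that matches the directive's goal of outright rejection. It also handles two edge cases a compliance reviewer would want to catch: a record that is not valid DMARC at all (the `v=DMARC1` tag must come first) and a `pct=` value below 100, which means the reject policy is only applied to a sample of failing mail.

```python
"""Classify DMARC records by policy strength (added example, constructed data)."""
from typing import Dict, Optional

# Policy strength, weakest to strongest, matching the article's three levels:
# p=none only monitors, p=quarantine sends spoofed mail to spam, p=reject bounces it.
POLICY_LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into a tag dictionary.

    Returns None when the record is not a DMARC record: per RFC 7489 the
    first tag must be exactly 'v=DMARC1'.
    """
    first = txt.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate empty segments from a trailing ';'
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt: Optional[str]) -> str:
    """Map a record to: absent, invalid, monitor, quarantine, reject,
    or partial-<level> when pct= is below 100 (policy applied to a sample only)."""
    if txt is None:
        return "absent"  # no DMARC record published at all
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in POLICY_LEVELS:
        return "invalid"  # 'p' is mandatory; an unknown value gives no usable policy
    level = POLICY_LEVELS[policy]
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and level != "monitor":
        return f"partial-{level}"  # receivers enforce only pct% of failures
    return level


def meets_reject_requirement(txt: Optional[str]) -> bool:
    """True only for a full p=reject, the strongest setting the directive aims for."""
    return classify(txt) == "reject"


# Constructed sample records for hypothetical domains; not real DNS data.
SAMPLE_RECORDS = {
    "strong.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    "sampled.example":    "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@sampled.example",
    "spamfolder.example": "v=DMARC1; p=quarantine; sp=none",
    "watching.example":   "v=DMARC1; p=none; rua=mailto:reports@watching.example",
    "broken.example":     "p=reject; v=DMARC1",
    "missing.example":    None,
}


def summarize(records=SAMPLE_RECORDS) -> Dict[str, str]:
    """Return a domain -> classification map for a batch of records."""
    return {domain: classify(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, status in summarize().items():
        verdict = "meets reject goal" if meets_reject_requirement(SAMPLE_RECORDS[domain]) else "does not"
        print(f"{domain:22} {status:18} {verdict}")
```

In a real survey the record for each domain would come from a TXT lookup of `_dmarc.<domain>`; the sample dictionary stands in for that lookup so the example runs offline. Note that `spamfolder.example` carries `sp=none`, which leaves its subdomains in monitor-only mode even though the organizational domain quarantines, a detail worth surfacing in any report built on this classifier.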

That may not sound too important, but it means that a sizable portion of the federal government — intelligence agencies included — isn’t protected against an easy class of impersonated emails.